Deploy apps to enterprises using Google Play

A managed version of Google Play is used by enterprises and their employees to
access a rich ecosystem of work and productivity apps.

Android's built-in management features enable IT admins to fully manage devices
used exclusively for work. For personal devices and personally-enabled
work devices, admins can create and manage a separate work profile. Apps in
managed Google Play are installed in the work profile, giving admins full control
over the app and its data. Any apps or data outside the work profile remain
private to the user.

Enterprises can also use managed Google Play to securely deploy free apps to
their employees in bulk and bulk-purchase licenses for paid
apps*.

Managed Google Play and Android's enterprise features present significant
opportunities for developers from several domains, including:

Software vendors and ISVs: Independent companies that develop software
products or services to sell or distribute to enterprises.

Agency developers and system integrators (SI): Companies that develop
custom or semi-custom software, services, and solutions based on requirements
that an enterprise provides.

In-house enterprise developers: Developers working within the enterprise
to create software and solutions for internal distribution.

Google Play — a secure app distribution platform

Google Play has a proven track record of minimizing the risk of Potentially
Harmful Applications (PHAs) being installed on Android devices. The Android
Year in Review
report, published on the Google Security Blog
, shows how devices that install apps
exclusively from Google Play, rather than sideload unknown apps from other
sources, are at a much lower risk.

Together, Google Play and Android work to make your users' experiences on
Android safe by scanning every app published on Google Play for malware and
vulnerabilities. Google Play also ensures that app updates are always signed by
the original developer, avoiding app hijacking.

Best practices for managed Google Play

For all developers

Security

Security is a major concern for enterprises managing mobile apps and devices.
When developing an app for use in the workplace, remember that businesses are
more conscious of data security than ever before, especially when it comes to
features that share information with other services. To keep your app's data
secure, follow the best practices for security and privacy
. In particular:

Only use secure network protocols.

Use the default local storage in Android, rather than shared or external
storage.

If you're worried about abuse or have sensitive data, use the SafetyNet
Attestation APIs,
which enable your app to confirm that the device it's running on is authentic
and hasn't been compromised.

Work profile compatibility

A work profile is a logical space provisioned on an Android device that keeps
work and personal data separate. You may have to modify your app so it functions
reliably on a device with a work profile (see Set up Managed Profiles
for detailed best
practices). Many apps are already compatible, but always test your app with the
BasicManagedProfile sample app to be
sure.

Managed configurations

Your app should support managed configurations
, which let IT
admins remotely configure app settings for all users or individual users.
Examples of these setting include:

Server address and protocol settings: For example, a VPN client app can be
complex for a user to configure manually. Allow the IT admin to send the full
configuration bundle directly to the user's device. The user will then be able
to use the app immediately.

The ability to switch features on and off: For example, you might wish to
offer multiple cloud storage backends for your app, but an enterprise might
only want to allow use of the one they have purchased. So, allow them to block
the others.

Within the app, you specify which options can be configured and should publish
this information to managed Google Play.

If you update the managed configuration schema for your app, make sure it
remains backwards compatible. Maintaining this compatibility is desirable
because it's possible that various users will have different versions of your
app (at least temporarily), and IT admin will want a consistent remote
configuration experience between versions to ensure efficient management of
apps.

Distribution tools

Use the Google Play Console to upload,
manage, and publish your apps. The Play console comes with a wide range of
configuration options and testing features designed to help you provide the best
possible apps to your users.

Run internal, closed, and open tests
on updates to collect feedback from interal users or a subset of your external
users, then make improvements or corrections before releasing your app more
broadly.

Use staged rollouts
to release app updates to your user base gradually. If you run into problems,
you can halt the rollout at any time.

Learn more about the Play Console features
available to help publish and distribute your app.

For software vendors

As a Google Play developer, your free apps are automatically available to be
discovered and approved by IT admins. IT admins can then distribute those apps
to their workforces using managed Google Play.

If you have a paid app, you must opt-in and agree to the managed Google Play
Addendum
to the Developer Distribution Agreement to allow enterprises to bulk-purchase
your app*.

Get discovered

Managed Google Play is also embedded in many popular Enterprise Mobility
Management systems, such as Google Mobile Management
and VMWare
Airwatch,
which IT admins use daily to manage mobile devices and apps.

If your Android app is a companion app to a larger end-to-end service, then you
should describe your full service in your app's Play Store listing. Remember
that IT admins and users will read your app description to choose your whole
service and not just your Android app.

Get volume

Reach new audiences at scale with bulk deployments and bulk purchasing.
Businesses can use managed Google Play to deploy free apps in bulk to managed
devices. The managed Google Play Store also supports bulk purchases of paid
apps*.

New monetization opportunities

Enterprises are often interested in purchasing extended support for
business-critical apps, opening up new monetization opportunities. Depending on
your product or service, you can consider introducing pricing schemes for
extended features, extended hours, live contact, in-house training, or tiered
support levels.

For agency developers

Managed configurations for app customization

Managed configurations
can help customize apps for clients while minimizing the overhead of maintaining
multiple APKs. By using managed configurations to define the set of parameters
for app customization (for example, color scheme, UI strings, client logo,
switching different modules on and off, and so on), each client can have an
entirely different experience while you maintain a single APK.

Delegated access to your client's Google Play Developer account

If you're responsible for publishing and maintaining your clients' internal
apps, your client can configure delegated publishing access
to
their Google Play Developer account. You can then publish new or updated apps
directly, rather than sending your client APKs for them to publish. This
developer account access can be restricted to particular roles or particular
apps, so your client remains in control.

There's also a publishing API
that enables you to plug your publishing pipeline directly into the Play
publishing flow for your client.

For in-house enterprise developers

Private apps

Private
apps
are apps that are distributed to your organization only. They don't appear on
the public Play Store. Private apps are a great way for enterprises to use all
the power and scale of Google Play to deploy internal apps securely and
privately.

There's also an API to publish a private app for an enterprise. To learn more,
read Publish a private
app.

Google-hosted vs. self-hosted APKs

There are two options for hosting your app's APK. You can upload the APK to
Google Play and it distributes it securely to your users. Alternatively, you can
host the APK on your servers. You might wish to do this if you want to host the
APK on your premises, behind your firewall.

However, there are several benefits to hosting your APK on Google Play:

Google's app vulnerability scanning:
It's often difficult to tell what SDKs and libraries your developers used to
build an internal app. Also, developers may not always use best security
practices. Google's vulnerability scanning engine checks for many known
security vulnerabilities, giving you greater confidence in the security of
your app.

App update patches: Google optimizes the app updates that it serves to
devices, only sending the differences and compressing all data. This means
faster delivery of updates with lower data consumption.

Pre-launch reports:
After you upload and publish an app to the default closed testing track or
open testing track, a range of test devices in the Firebase Test Lab will
automatically launch and crawl your app for several minutes. The crawl will
perform basic actions every few seconds on your app, such as typing, tapping,
and swiping. This helps you check for any obvious crashing problems with your
app, on a range of popular Android devices.

In either case, the metadata about your app that's shown to your users in the
Play Store app on their managed device or work profile is stored in Google Play.

Deploying updates

Google Play makes it easy to deploy app updates. Auto-updates are enabled by
default on every Android device with Google Play installed. Just publish your
app update through the Google Play Console, and Google Play will automatically
do the rest.

It might take a few days for your app to be updated on every device. This is
because Google Play waits for the optimal time to update an app, such as when
the device is charging and on Wi-Fi.